hlpce.dll

I have a very sad machine - I have disconnected this machine from the internet as it is acquiring viruses faster than I can clean them off. I have followed the HijackThis instructions in the FAQ. I have run Adaware and Spybot multiple times, both in Safe mode and in Normal mode. Each time they find more things to quarantine, fix, etc.

There is one problem in particular that is driving me crazy. There is a file - c:\windows\system32\hlpce.dll. Norton Antivirus keeps popping a Notification that this is a Backdoor.Trojan. I can't delete it because it is in use. If I boot into safe mode, the file doesn't exist. Some process is creating it each time I boot!

A google search of 'hlpce' turns up nothing.

Hijack log is available. Looking for advice. I don't want to reformat and admit defeat!! Thanks in advance.

There is one problem in particular that is driving me crazy. There is a file - c:\windows\system32\hlpce.dll. Norton Antivirus keeps popping a Notification that this is a Backdoor.Trojan. I can't delete it because it is in use.

If I boot into safe mode, the file doesn't exist. Some process is creating it each time I boot!

The file is indeed identified by Norton that *isolates* it and at the same time locks access to its removal!

Follow these steps in the exact order specified, or they won't work properly!

1.) Disable Norton's active protection completely, and restart your computer! Unless you do so, it'll interfere!

2.) Download and install: "FINDnFIX.exe" from any of the links in my signature. You can skip the first log, and proceed:

3.) *Get ready to restart your computer.
- Open the FINDnFIX\Keys1 <- Subfolder: DoubleClick on the "FIX.bat" file.
- You will get a prompt preparing for auto-restart in 10 seconds.
- Let it restart!

4.) On restart, Go to Start/Search, and find: "hlpce.dll" (in System32 folder; as it should be visible)
- When found, RightClick on the "hlpce.dll" file And select -> Cut...
Immediately Goto and Open this Subfolder: C:\FINDnFIX\junkxxx <- RightClick inside it and select -> Paste
hit 'ok' when/if asked on 'read only' file move prompt.
*Be sure the file is now here: \junkxxx\hlpce.dll

5.) When done, Go back up one level to the main C:\FINDnFIX folder and Run the -> "RESTORE.bat" file. It will run and generate a log (log2.txt). Post it here, along with your hijackthis log!

*Note: Do not change/move around or tamper with any of the file(s) folder(s) and path included in the 'FINDnFIX' folder.
*You must be the prime account/Part of the 'Administrators' group to perform the steps above!

RightClick and select the Security tab in properties, Check the lower box to allow 'propagated permissions from parent'. Hit apply and 'ok'!

Lastly,
- Open the FINDnFIX\Files2 <- Subfolder: Run the -> "ZIPZAP.bat" file.
It will take less than a second, quickly clean the rest and will create a zipped copy of the bad file(s) in the same folder (named as -- junkxxx.zip) and open your email client with instructions: Simply drag and drop the 'junkxxx.zip' file from the folder into the mail message and submit to the specified addresses! Thanks!
*Be sure your active AV email scan is disabled as well!

Find this logfile created in the same Subfolder-- (C:\FINDnFIX\Files2):-> "FINAL.TXT" And post it!

Thank you again for such a quick response. I have some follow up questions -

1 - I actually had to uninstall Norton as the corporate version I had would not allow me to disable real time file protection.

2 - Even though the file system is NTFS, and I am logged in as an administrator, I do not get a Security tab in the Properties window for any file I select. So I am unable to make the change to allow propagated permissions from the parent.

I haven't yet run zipzap.bat as I'm unsure if I should do so without being able to change the above setting. Please help! Thanks again!

A handle was successfully obtained for the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows key.
This key has 0 subkeys.
The AppInitDLLs value exists and reports as 2 bytes, including the 2 for string termination.
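Added example, not part of the thread and not FINDnFIX's own code: a small Python parser showing how the reported size of the AppInit_DLLs value (the registry's name for what the log calls AppInitDLLs) can be read, assuming the size is the raw REG_SZ length in UTF-16LE, so that 2 bytes is only the string terminator and no DLL is listed. It goes slightly beyond the log by also reporting data stored after the terminator; the function name and all sample bytes are constructed for illustration.

```python
import re

def parse_appinit(raw: bytes) -> dict:
    """Interpret the raw REG_SZ data of an AppInit_DLLs value (UTF-16LE)."""
    if len(raw) % 2:
        raise ValueError("REG_SZ data must be a whole number of UTF-16 code units")
    text = raw.decode("utf-16-le", errors="replace")
    # Everything before the first NUL is what a registry viewer displays.
    visible, nul, trailing = text.partition("\x00")
    # Windows accepts spaces or commas as delimiters between DLL names.
    dlls = [p for p in re.split(r"[ ,]+", visible) if p]
    return {
        "size_bytes": len(raw),
        "terminated": bool(nul),
        "dlls": dlls,
        "empty": not dlls,
        # Non-NUL data after the terminator is never shown by a viewer
        # that stops at the first NUL, so report it separately.
        "data_after_terminator": bool(trailing.strip("\x00")),
    }

# Constructed sample data, not taken from the machine in the thread.
SAMPLES = {
    "two-byte value, as in the log": b"\x00\x00",
    "two listed DLLs": "C:\\example\\one.dll, C:\\example\\two.dll\x00".encode("utf-16-le"),
    "empty string followed by extra data": "\x00C:\\example\\three.dll\x00".encode("utf-16-le"),
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(label, parse_appinit(raw))
```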

As this problem has been resolved the topic will be closed. If you need this topic reopened, please click here to email the moderating team - be sure to include the address of the thread and the name you posted under.